1. The Development of Personal Data Protection Law
As a consequence of rapid advances in information technology, the adoption of a database management approach in the provision of goods and services, and the rising volume of data processing carried out by third parties on a daily basis, the need to protect personal data has steadily deepened. (1)
All these developments led to the ubiquitous information technology society we have today, and personal data became the subject of international activities. It is therefore protected by both national and international legal regulations.
1.1. Personal Data Protection Law in International Legislation
1.1.1. The European Convention on Human Rights
Although the law on the protection of personal data seems to be a newer subject that entered our lives with the age of technology, its foundations lie in Article 8 of the European Convention on the Protection of Human Rights and Freedoms, titled Respect for Private and Family Life. Since there was no specific need for the protection of personal data when the Convention was drawn up in 1950, it contains no provision on this issue. Over time, the rapid development of technology and the digitalization of the service sector created a demand for the protection of personal data as a fundamental right, and it began to be evaluated within the scope of Article 8 of the Convention.
At the same time, with the case law developed by the European Court of Human Rights, personal data is legally protected by fundamental rights and freedoms such as freedom of expression, the right to be forgotten, respect for human dignity, and the right to information.
1.1.2. Council of Europe Convention No.108 on Data Protection
These technologies also raise threats to privacy. In particular, the commodification of personal data is likely to affect information privacy by leading to an increase in data trade. In addition to the freedom of individuals to determine the fate of their own data, the need to ensure the privacy of this data has made a specific arrangement for the protection of personal data necessary. (2)
In line with this necessity, the first concrete step taken in the international arena regarding the law on the protection of personal data is Convention No.108 on Protection of Individuals Against Automatic Processing of Personal Data, prepared by the Council of Europe. The Convention is the first international document on the protection of personal data, and it was signed by Turkey on January 28, 1981. Since the Convention sets out a legal framework for data protection law, its implementation in the domestic law of the states depends on the states enacting ratification laws. Although Turkey has been among the Signatory States to Convention No. 108 since 1981, the ratification procedure was not completed until 2016. With the preparation of the implementing law, the Convention was published in the Resmi Gazete (Official Journal) dated 17 March 2016 and numbered 29656 and was incorporated into domestic law. The main purpose of the Convention is to protect every individual with regard to the processing of personal data, regardless of their nationality or place of residence, and thus to contribute to respect for the human rights and fundamental freedoms of individuals, in particular the right to privacy. (3) The Convention has guided 55 countries (4) in the field of personal data protection law. It set the framework for the basic concepts of data protection law, such as sensitive data, automatic processing of data, data processor, data owner’s rights and general principles in data processing.
In the following years the Convention was modernized because of the new protection needs arising from developments in technology. Although disputes regarding personal data violations at the international level are resolved with the GDPR, special emphasis must be placed on becoming a party to the new version of this convention. Under the General Data Protection Regulation (GDPR), which can also be applied to institutions and organizations operating outside the European Union, whether the relevant countries are parties to Convention 108+ is considered as an evaluation factor in the adequacy decisions to be made by the European Commission regarding data transfers from the European Economic Area to third countries. (6)
1.1.3. General Data Protection Regulation
The European Union General Data Protection Regulation No. 2016/679, which is the most up-to-date and comprehensive regulation in the field of Personal Data Protection Law, was adopted on April 14, 2016 and came into force on May 25, 2018. The protection of personal data, which was previously provided by various international regulations, was updated with the GDPR in line with current needs and enacted as a regulation. One of the main reasons for this reform in the field of personal data protection is the different implementation of existing regulations by member states and the failure to ensure uniform data protection rules within the EU. The Regulation eliminates this difference and provides uniform personal data protection for EU residents, as it can be applied directly without the need for member states to pass an implementing law to make it binding. The Regulation adopts the “one continent one law principle”, which expresses the ease, for real and legal persons, of acting within the framework of a single binding law within the borders of the EU instead of facing different regulations in each member state. Another step taken to ensure uniformity is the “one-stop shop principle”, which means that organizations established in the EU and performing cross-border processing are subject to a single authority (Lead Supervisory Authority) affiliated to the member state where the central institution is located.
The Regulation also obliges organizations that meet certain criteria to appoint a Data Protection Officer (DPO) to audit the compliance of data processing activities within the borders of the European Union with the provisions of the GDPR. (6)
1.2. Personal Data Protection Law in Turkish Legislation
1.2.1. The Constitution of 1982
For a long period of time, no specific regulation was made in the context of personal data, and it was protected by general legal provisions within various pieces of legislation. For example, Articles 135-150 of the Turkish Criminal Code No. 5237 regulate the illegal recording of personal data, giving it to others, dissemination, seizure and non-destruction as crimes. Likewise, Articles 23-25 of the Turkish Civil Code, titled “Protection of Personality”, have been indirectly applied to personal data.
One of the most critical stepping stones in national law on personal data protection was the constitutional amendment made in 2010 with Law No. 5982. With this amendment, a clause was added to Article 20 of the Constitution and personal data was constitutionally guaranteed within the scope of “the right to privacy and protection of private life”. According to this Article, everyone has a right to protection of his/her own personal data. The right to data protection confers upon each individual the powers to be informed of his/her personal data, to have access to data, to request the correction or erasure and to find out if his/her data are used in accordance with the prescribed purposes. Personal data shall only be processed under the grounds put forward by the law or with the explicit consent of the data subject. (7)
1.2.2. Personal Data Protection Law No.6698
The right to data protection, which became a fundamental right with the constitutional amendment in 2010, can only be limited by law, pursuant to both the relevant Article 20 of the Constitution and the provision of Article 13 on the limitation of fundamental rights. Therefore, on 26 December 2014, the “Personal Data Draft Law on Conservation” was presented to the Grand National Assembly of Turkey, and the Law on the Protection of Personal Data No. 6698 (DPL) was then adopted on 24 March 2016 and published in the Resmi Gazete (Official Journal) of 7 April 2016.
The Law aims to protect individuals’ fundamental rights and freedoms (in particular, the right to privacy) with regard to data processing and to administer all rules and procedures to be implemented during processing activities.
2. Territorial Scope of GDPR and DPL
Law No. 6698 applies to all natural and legal persons’ data processing activities that are performed wholly or partly by automatic means, and also by manual means on the condition that the processing activity is part of a data filing system (Article 2). Therefore, if a processing activity is carried out completely or partially by automatic means, the Turkish DPL applies. Manual data processing, such as paper-based records of employees’ personal data, can also be covered provided that the data are part of a filing system.
Although Law No. 6698 has determined the legal rules on personal data at the national level, the territorial scope of the European Union General Data Protection Regulation is also important for institutions and organizations in Turkey, because the Regulation is an extra-territorial regulation that also applies to non-European Union member states, extending the protection of personal data in terms of location.
The main purpose of the EU General Data Protection Regulation is to protect the privacy of residents of EU member states. Therefore, even where the activity does not take place within the borders of the EU, the Regulation can also be applied to extra-regional data processing activities when the specified conditions are present. Article 3 of the GDPR states that:
If companies established in Turkey interact in any way with a person residing in the European Union through methods such as selling goods and services to people in the EU, providing goods and services to EU users via online platforms, or monitoring the consumption habits of individuals, or if they process the data of people residing in the EU by other methods, they will be subject to the Regulation. In other words, companies established in Turkey that fulfill the above-mentioned conditions may also have legal responsibilities within the scope of the Regulation, even if they are not within the borders of the EU.
Likewise, a similar regulation in Article 9 of the DPL states that the law refers to a dual protection in order to prevent the processing and storage of the data collected within the borders of Turkey. According to this, if the domestic law of the country to which data is transferred provides stronger legal protection than the Turkish DPL, that domestic law will be applied to the transactions. If it provides weaker legal protection regarding the processing and storage of data than the regulations of the country in question, it is foreseen that measures will at least be taken in accordance with the provisions of the DPL.
3. Material Scope of GDPR and DPL
GDPR and DPL provisions apply to all kinds of personal data of natural persons that are processed, stored, shared with third parties or transferred abroad.
3.1. Personal Data
Personal data is defined as any information relating to an identified or identifiable natural person in Article 3 of Law No. 6698.
In a similar definition, the GDPR states that personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (8)
Evaluated together, the provisions of the GDPR and the DPL (Data Protection Law) show that a common definition of personal data has been made and that the definitions share common elements. The provisions in both regulations are designed to grant protection only to natural persons. In other words, legal persons’ data cannot benefit from the guarantees envisaged.
Furthermore, the regulations specify no limitation in terms of the nature of the data: any information that makes a natural person identified or identifiable is defined as personal data.
Another important point to consider in this regard is that personal data does not have to be accurate in order to be covered by the protection. Even if the information is inaccurate, it’s still going to be considered as personal data if it makes a natural person identifiable. In fact, this data must be considered as personal data in order to claim the right to obtain information, rectification or destruction.
3.2. Special Categories of Personal Data (Sensitive Personal Data)
The concept of sensitive personal data is not defined in the Law, although an explanatory list of “special categories of data” is given. Article 6/1 of the Law states that personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.
The GDPR has a similar definition of sensitive personal data, except that some of the listed categories, such as clothing, association or foundation membership, sect and other belief information, are excluded. Moreover, unlike the GDPR, the Turkish DPL did not include sexual orientation when listing sexual life in the regulation. It can be shown that this gap can be filled in practice, as the decisions of the Personal Data Protection Board state that sensitive data is “data that would expose the person to discrimination” due to its nature.
From Article 9/2 of the GDPR, which regulates the circumstances in which sensitive data can be processed, it can be seen that the regulation has moved away from the strict regime on the processing of personal data. The reason appears to be that data processing activities are in some circumstances inevitable for one’s own interest and the public interest, public health and public order, and that the regulation gives as much importance to the right of individuals to act freely on their own data as to the right to the protection of personal data.
Furthermore, Article 2/1(a) of GDPR has brought an exception to the one continent one law principle: it gives the freedom to provide, in Union or Member State law, that the prohibition on processing sensitive data cannot be lifted by the data subject’s consent.
In conclusion, as seen in both regulations, the sensitivity of data arises from the possibility that the data subject may be harmed, excluded, or exposed to discrimination in the event that people other than the data subject have knowledge of this particular data. Food choice information given when buying a plane ticket, which shows the religious belief of the person, can be an example of this kind of personal data. (9)
Personal data is categorized in the above-mentioned way because an individual’s fundamental rights and freedoms (such as non-discrimination) are more likely to be violated by misuse of this kind of personal data.
Av. İrem Mutlu
Antalya Bar Association
1. Bilir, Prof. Dr. Faruk. Kişisel Verilerin Korunması Kişinin Kendisinin Korunmasıdır. [interview] Sezen Yüce. trtakademi. January 2021.
2. Schwartz, Paul M. Property, Privacy, and Personal Data. Harvard Law Review. 2004, Vol. 117, 7, p. 2072.
3. Article 1. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. 1981.
4. Chart of signatures and ratifications of Treaty 108. Council of Europe. [Online] [Accessed: 24 11 2022.] https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=108.
5. Convention 108 and Protocols. Council of Europe. [Online] https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1.
6. Article 37. General Data Protection Regulation. 2016.
7. Kişisel Verilerin Korunması Alanında Uluslararası ve Ulusal Düzenlemeler. Kişisel Verilerin Korunması Kurumu. [Online] [Accessed: 10 12 2022.] https://www.kvkk.gov.tr/Icerik/4183/Kisisel-Verilerin-Korunmasi-Alaninda-Uluslararasi-ve-Ulusal-Duzenlemeler.
8. Article 4. General Data Protection Regulation. 2016.
9. Kaya, Cemil. Avrupa Birliği Veri Koruma Direktifi Ekseninde Hassas (Kişisel) Veriler ve İşlenmesi. İstanbul Üniversitesi Hukuk Fakültesi Mecmuası. 2011, Vol. 69, 1-2, p. 322.